Vulnerability Name: | CVE-2022-22719 (CCN-221667) |
Assigned: | 2022-03-14 |
Published: | 2022-03-14 |
Updated: | 2022-11-02 |
Summary: | A carefully crafted request body can cause a read to a random memory area which could cause the process to crash. This issue affects Apache HTTP Server 2.4.52 and earlier. |
CVSS v3 Severity: | 7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H); 6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
  Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): None
  Scope: Scope (S): Unchanged
  Impact Metrics: Confidentiality (C): None; Integrity (I): None; Availability (A): High
| 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L); 4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C)
  Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): None
  Scope: Scope (S): Unchanged
  Impact Metrics: Confidentiality (C): None; Integrity (I): None; Availability (A): Low
| 7.5 High (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H); 6.5 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
  Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): None
  Scope: Scope (S): Unchanged
  Impact Metrics: Confidentiality (C): None; Integrity (I): None; Availability (A): High |
CVSS v2 Severity: | 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
  Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Low; Authentication (Au): None
  Impact Metrics: Confidentiality (C): None; Integrity (I): None; Availability (A): Partial
| 5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
  Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Low; Authentication (Au): None
  Impact Metrics: Confidentiality (C): None; Integrity (I): None; Availability (A): Partial |
Vulnerability Type: | CWE-665, CWE-908 |
Vulnerability Consequences: | Denial of Service |
References: | Source: MITRE Type: CNA CVE-2022-22719
Source: FULLDISC Type: Mailing List, Third Party Advisory 20220516 APPLE-SA-2022-05-16-4 Security Update 2022-004 Catalina
Source: FULLDISC Type: Mailing List, Third Party Advisory 20220516 APPLE-SA-2022-05-16-3 macOS Big Sur 11.6.6
Source: FULLDISC Type: Mailing List, Third Party Advisory 20220516 APPLE-SA-2022-05-16-2 macOS Monterey 12.4
Source: MLIST Type: Mailing List, Third Party Advisory [oss-security] 20220314 CVE-2022-22719: Apache HTTP Server: mod_lua Use of uninitialized value of in r:parsebody
Source: XF Type: UNKNOWN apache-http-cve202222719-dos(221667)
Source: CCN Type: Apache Web site mod_lua Use of uninitialized value of in r:parsebody
Source: MISC Type: Vendor Advisory https://httpd.apache.org/security/vulnerabilities_24.html
Source: MLIST Type: Mailing List, Third Party Advisory [debian-lts-announce] 20220322 [SECURITY] [DLA 2960-1] apache2 security update
Source: FEDORA Type: Mailing List, Third Party Advisory FEDORA-2022-b4103753e9
Source: FEDORA Type: Mailing List, Third Party Advisory FEDORA-2022-78e3211c55
Source: FEDORA Type: Mailing List, Third Party Advisory FEDORA-2022-21264ec6db
Source: GENTOO Type: Third Party Advisory GLSA-202208-20
Source: CONFIRM Type: Third Party Advisory https://security.netapp.com/advisory/ntap-20220321-0001/
Source: CCN Type: Apple security document HT213255 About the security content of Security Update 2022-004 Catalina
Source: CCN Type: Apple security document HT213256 About the security content of macOS Big Sur 11.6.6
Source: CCN Type: Apple security document HT213257 About the security content of macOS Monterey 12.4
Source: CONFIRM Type: Third Party Advisory https://support.apple.com/kb/HT213255
Source: CONFIRM Type: Third Party Advisory https://support.apple.com/kb/HT213256
Source: CONFIRM Type: Third Party Advisory https://support.apple.com/kb/HT213257
Source: CCN Type: IBM Security Bulletin 6565413 (HTTP Server) Multiple vulnerabilities in IBM HTTP Server used by IBM WebSphere Application Server (CVE-2022-22719, CVE-2022-22720, CVE-2022-22721)
Source: CCN Type: IBM Security Bulletin 6587106 (Netezza Performance Portal) Vulnerabilities in IBM HTTP Server affect IBM Netezza Performance Portal
Source: CCN Type: IBM Security Bulletin 6590977 (Tivoli Monitoring) Multiple vulnerabilities affect IBM Tivoli Monitoring included WebSphere Application Server and IBM HTTP Server used by WebSphere Application Server
Source: CCN Type: IBM Security Bulletin 6591347 (Security SiteProtector System) IBM Security SiteProtector System is affected by multiple Apache HTTP Server Vulnerabilities
Source: CCN Type: IBM Security Bulletin 6602999 (Rational Build Forge) IBM Rational Build Forge is affected by Apache Http Server version used in it. (CVE-2022-22719)
Source: CCN Type: IBM Security Bulletin 6618941 (Aspera Faspex) IBM Aspera Faspex 4.4.2 has addressed multiple security vulnerabilities
Source: CCN Type: IBM Security Bulletin 6837585 (App Connect Enterprise Certified Container) IBM App Connect Enterprise Certified Container DesignerAuthoring operands that use Mapping Assistance may be vulnerable to denial of service due to CVE-2022-22719
Source: CCN Type: IBM Security Bulletin 6952343 (Aspera Orchestrator) IBM Aspera Orchestrator affected by denial of service vulnerability (CVE-2022-22719)
Source: MISC Type: Patch, Third Party Advisory https://www.oracle.com/security-alerts/cpuapr2022.html |
Vulnerable Configuration: |
Configuration 1:
  cpe:/a:apache:http_server:*:*:*:*:*:*:*:* (Version <= 2.4.52)
Configuration 2:
  cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Configuration 3:
  cpe:/o:fedoraproject:fedora:34:*:*:*:*:*:*:*
  OR cpe:/o:fedoraproject:fedora:35:*:*:*:*:*:*:*
  OR cpe:/o:fedoraproject:fedora:36:*:*:*:*:*:*:*
Configuration 4:
  cpe:/a:oracle:http_server:12.2.1.3.0:*:*:*:*:*:*:*
  OR cpe:/a:oracle:http_server:12.2.1.4.0:*:*:*:*:*:*:*
  OR cpe:/a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*
Configuration 5:
  cpe:/o:apple:macos:*:*:*:*:*:*:*:* (Version < 10.15.7)
  OR cpe:/o:apple:mac_os_x:10.15.7:security_update_2020-001:*:*:*:*:*:*
  OR cpe:/o:apple:mac_os_x:10.15.7:security_update_2021-001:*:*:*:*:*:*
  OR cpe:/o:apple:mac_os_x:10.15.7:security_update_2021-002:*:*:*:*:*:*
  OR cpe:/o:apple:mac_os_x:10.15.7:*:*:*:*:*:*:*
  OR cpe:/o:apple:mac_os_x:10.15.7:security_update_2021-003:*:*:*:*:*:*
  OR cpe:/o:apple:mac_os_x:10.15.7:security_update_2021-004:*:*:*:*:*:*
  OR cpe:/o:apple:mac_os_x:10.15.7:security_update_2021-005:*:*:*:*:*:*
  OR cpe:/o:apple:mac_os_x:10.15.7:security_update_2021-006:*:*:*:*:*:*
  OR cpe:/o:apple:mac_os_x:10.15.7:security_update_2021-007:*:*:*:*:*:*
  OR cpe:/o:apple:mac_os_x:10.15.7:security_update_2021-008:*:*:*:*:*:*
  OR cpe:/o:apple:mac_os_x:10.15.7:security_update_2022-001:*:*:*:*:*:*
  OR cpe:/o:apple:mac_os_x:10.15.7:security_update_2022-002:*:*:*:*:*:*
  OR cpe:/o:apple:mac_os_x:10.15.7:security_update_2022-003:*:*:*:*:*:*
  OR cpe:/o:apple:macos:*:*:*:*:*:*:*:* (Version >= 11.0 and < 11.6.6)
  OR cpe:/o:apple:macos:*:*:*:*:*:*:*:* (Version >= 12.0.0 and < 12.4)
Configuration RedHat 1:
  cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*
Configuration RedHat 2:
  cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*
Configuration RedHat 3:
  cpe:/a:redhat:enterprise_linux:9:*:*:*:*:*:*:*
Configuration RedHat 4:
  cpe:/a:redhat:enterprise_linux:9::appstream:*:*:*:*:*
Configuration CCN 1:
  cpe:/a:apache:http_server:2.4.7:*:*:*:*:*:*:*
  OR cpe:/a:apache:http_server:2.4.8:*:*:*:*:*:*:*
  OR cpe:/a:apache:http_server:2.4.9:*:*:*:*:*:*:*
  OR cpe:/a:apache:http_server:2.4.10:*:*:*:*:*:*:*
  OR cpe:/a:apache:http_server:2.4.12:*:*:*:*:*:*:*
  OR cpe:/a:apache:http_server:2.4.18:*:*:*:*:*:*:*
  OR cpe:/a:apache:http_server:2.4.20:*:*:*:*:*:*:*
  OR cpe:/a:apache:http_server:2.4.17:*:*:*:*:*:*:*
  OR cpe:/a:apache:http_server:2.4.23:*:*:*:*:*:*:*
  OR cpe:/a:apache:http_server:2.4.29:*:*:*:*:*:*:*
  OR cpe:/a:apache:http_server:2.4.33:*:*:*:*:*:*:*
  OR cpe:/a:apache:http_server:2.4.30:*:*:*:*:*:*:*
  OR cpe:/a:apache:http_server:2.4.25:*:*:*:*:*:*:*
  OR cpe:/a:apache:http_server:2.4.26:*:*:*:*:*:*:*
  OR cpe:/a:apache:http_server:2.4.27:*:*:*:*:*:*:*
  OR cpe:/a:apache:http_server:2.4.28:*:*:*:*:*:*:*
  OR cpe:/a:apache:http_server:2.4.34:*:*:*:*:*:*:*
  OR cpe:/a:apache:http_server:2.4.35:*:*:*:*:*:*:*
  OR cpe:/a:apache:http_server:2.4.36:*:*:*:*:*:*:*
  OR cpe:/a:apache:http_server:2.4.37:*:*:*:*:*:*:*
  OR cpe:/a:apache:http_server:2.4.38:*:*:*:*:*:*:*
  OR cpe:/a:apache:http_server:2.4.39:*:*:*:*:*:*:*
  OR cpe:/a:apache:http_server:2.4.16:*:*:*:*:*:*:*
  OR cpe:/a:apache:http_server:2.4.41:*:*:*:*:*:*:*
  OR cpe:/a:apache:http_server:2.4.43:*:*:*:*:*:*:*
  OR cpe:/a:apache:http_server:2.4.46:*:*:*:*:*:*:*
  OR cpe:/a:apache:http_server:2.4.48:*:*:*:*:*:*:*
  OR cpe:/a:apache:http_server:2.4.49:*:*:*:*:*:*:*
  OR cpe:/a:apache:http_server:2.4.50:*:*:*:*:*:*:*
  OR cpe:/a:apache:http_server:2.4.51:*:*:*:*:*:*:*
  OR cpe:/a:apache:http_server:2.4.52:*:*:*:*:*:*:*
  AND cpe:/a:ibm:http_server:7.0:*:*:*:*:*:*:*
  OR cpe:/a:ibm:http_server:8.0:*:*:*:*:*:*:*
  OR cpe:/a:ibm:http_server:8.5:*:*:*:*:*:*:*
  OR cpe:/a:ibm:tivoli_monitoring:6.3.0:*:*:*:*:*:*:*
  OR cpe:/a:ibm:security_siteprotector_system:3.1.1:*:*:*:*:*:*:*
  OR cpe:/a:ibm:aspera_faspex:4.4.1:*:*:*:*:*:*:*
  OR cpe:/a:ibm:app_connect_enterprise_certified_container:4.2:*:*:*:*:*:*:* |